From: Johannes Anderwald <johannes.anderwald@reactos.org>
Date: Fri, 21 Aug 2009 18:36:43 +0000 (+0000)
Subject: - Fix a few bugs
X-Git-Tag: ReactOS-0.3.11~1048
X-Git-Url: https://git.reactos.org/?p=reactos.git;a=commitdiff_plain;h=6f2463f07d545c41c4a56e3d2a31a861eff6449c

- Fix a few bugs
- Bug1 - BufferOverflow
- Bug2 - ks expects a '\\' for each pin creation request
- Bug3 - ObjectLength was not correctly set, thus truncating the request
- Bug4 - Zero byte was not set at correct offset, potentialy leading to a heap overflow

svn path=/trunk/; revision=42832
---

diff --git a/reactos/dll/directx/ksuser/ksuser.c b/reactos/dll/directx/ksuser/ksuser.c
index 0e7654972e3..eab5a5b0f99 100644
--- a/reactos/dll/directx/ksuser/ksuser.c
+++ b/reactos/dll/directx/ksuser/ksuser.c
@@ -44,18 +44,19 @@ KsiCreateObjectType( HANDLE hHandle,
 
     Length = wcslen(IID);
 
-    TotalSize = (Length * sizeof(WCHAR)) + BufferSize + 2 * sizeof(WCHAR);
+    TotalSize = (Length * sizeof(WCHAR)) + BufferSize + 4 * sizeof(WCHAR);
 
     pStr = HeapAlloc(GetProcessHeap(), 0, TotalSize);
     if (!pStr)
         return STATUS_INSUFFICIENT_RESOURCES;
-
-    wcscpy(pStr, (LPWSTR)IID);
-    pStr[Length] = L'\\';
-    memcpy(&pStr[Length+1], Buffer, BufferSize);
-    pStr[Length+1+BufferSize] = L'\0';
+    pStr[0] = L'\\';
+    wcscpy(&pStr[1], (LPWSTR)IID);
+    pStr[Length+1] = L'\\';
+    memcpy(&pStr[Length+2], Buffer, BufferSize);
+    pStr[Length+3+(BufferSize/sizeof(WCHAR))] = L'\0';
 
     RtlInitUnicodeString(&ObjectName, pStr);
+    ObjectName.Length = ObjectName.MaximumLength = TotalSize;
 
     InitializeObjectAttributes(&ObjectAttributes, &ObjectName, OBJ_CASE_INSENSITIVE, hHandle, NULL);